Strict-Transport-Security is enforced on all websites
In ISPConfig 3.1 (beta), when I enable SSL for a website it will automatically force the Strict-Transport-Security header, which is unwanted.
This website serves two types of content depending on whether the website is accessed through http or https: http will result in a static web page providing general information, https will provide a webapp that requires a login and handles sensitive data.
By specifying the Strict-Transport-Security header this effectively renders the HTTP version unusable once the HTTPS site has been visited.
HSTS should not be enabled by default as it may cause unexpected results. It should be an option setting, with the ability to change the max-age parameter, the subdomain policy and the preload setting.
To resolve this issue, I had to add
Header always unset Strict-Transport-Security
to the Apache Directives in the website configuration, but that feels a bit in reverse to me.
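The configuration below is an added illustration of the behaviour described in this report; it is not ISPConfig's generated configuration and not code from the reporter. It shows HSTS as an explicit, tunable setting on the HTTPS vhost only, with the three parameters the report asks for, and it documents why the plain-HTTP vhost still becomes unreachable for a browser that has seen the header. Host name, document roots and certificate paths are placeholders.

```apache
# Added example, not ISPConfig's own output. Host names and paths are placeholders.

<VirtualHost *:80>
    ServerName example.com
    DocumentRoot /var/www/example.com/public
    # Plain-HTTP informational site. No Strict-Transport-Security here:
    # browsers ignore the header when it arrives over HTTP (RFC 6797),
    # so setting it on this vhost would do nothing anyway.
</VirtualHost>

<VirtualHost *:443>
    ServerName example.com
    DocumentRoot /var/www/example.com/app
    SSLEngine on
    SSLCertificateFile    /etc/ssl/example.com/fullchain.pem
    SSLCertificateKeyFile /etc/ssl/example.com/privkey.pem

    # The tunables the report asks for, spelled out:
    #   max-age           lifetime of the policy in seconds (180 days here)
    #   includeSubDomains drop it if any subdomain must remain plain HTTP
    #   preload           only meaningful with includeSubDomains and a
    #                     max-age of at least one year, and only once the
    #                     domain is actually submitted to the preload list
    #
    # HSTS is bound to the host name, not to a port or scheme: once a browser
    # has seen this header on https://example.com it rewrites every
    # http://example.com request to https:// for max-age seconds, so the
    # :80 vhost above is no longer reachable for that browser. A site that
    # must keep a distinct HTTP variant cannot send this header at all.
    Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains"
</VirtualHost>
```

The workaround from the report, `Header always unset Strict-Transport-Security`, works because mod_headers applies directives in order within the merged configuration and the `unset` runs after the panel-generated `set`. The `always` keyword matters: mod_headers keeps headers set with `always` in a separate table from those set without it, so a plain `Header unset` would not remove a header that was added with `Header always set`.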